diff --git a/packages/vite/src/node/plugins/asset.ts b/packages/vite/src/node/plugins/asset.ts index ee96fef25cc343..ca8fcd4999bb88 100644 --- a/packages/vite/src/node/plugins/asset.ts +++ b/packages/vite/src/node/plugins/asset.ts @@ -29,8 +29,8 @@ export const duplicateAssets = new WeakMap< Map >() -const rawRE = /(\?|&)raw(?:&|$)/ -const urlRE = /(\?|&)url(?:&|$)/ +export const rawRE = /(\?|&)raw(?:&|$)/ +export const urlRE = /(\?|&)url(?:&|$)/ const assetCache = new WeakMap>() diff --git a/packages/vite/src/node/server/middlewares/static.ts b/packages/vite/src/node/server/middlewares/static.ts index 03306b68fc2197..304aa781dca2b8 100644 --- a/packages/vite/src/node/server/middlewares/static.ts +++ b/packages/vite/src/node/server/middlewares/static.ts @@ -174,7 +174,7 @@ export function isFileServingAllowed( return false } -function ensureServingAccess( +export function ensureServingAccess( url: string, server: ViteDevServer, res: ServerResponse, diff --git a/packages/vite/src/node/server/middlewares/transform.ts b/packages/vite/src/node/server/middlewares/transform.ts index 929c6856d34748..a11119e68bf983 100644 --- a/packages/vite/src/node/server/middlewares/transform.ts +++ b/packages/vite/src/node/server/middlewares/transform.ts @@ -35,6 +35,8 @@ import { ERR_OUTDATED_OPTIMIZED_DEP } from '../../plugins/optimizedDeps' import { getDepsOptimizer } from '../../optimizer' +import { rawRE, urlRE } from '../../plugins/asset' +import { ensureServingAccess } from './static' const debugCache = createDebugger('vite:cache') const isDebug = !!process.env.DEBUG @@ -147,6 +149,13 @@ export function transformMiddleware( } } + if ( + (rawRE.test(url) || urlRE.test(url)) && + !ensureServingAccess(url, server, res, next) + ) { + return + } + if ( isJSRequest(url) || isImportRequest(url) || diff --git a/playground/fs-serve/__tests__/fs-serve.spec.ts b/playground/fs-serve/__tests__/fs-serve.spec.ts index c22e5def30fe7d..fefbc419e43b2a 100644 --- a/playground/fs-serve/__tests__/fs-serve.spec.ts +++ b/playground/fs-serve/__tests__/fs-serve.spec.ts @@ -76,6 +76,11 @@ describe.runIf(isServe)('main', () => { expect(await page.textContent('.unsafe-fs-fetch-status')).toBe('403') }) + test('unsafe fs fetch', async () => { + expect(await page.textContent('.unsafe-fs-fetch-raw')).toBe('') + expect(await page.textContent('.unsafe-fs-fetch-raw-status')).toBe('403') + }) + test('unsafe fs fetch with special characters (#8498)', async () => { expect(await page.textContent('.unsafe-fs-fetch-8498')).toBe('') expect(await page.textContent('.unsafe-fs-fetch-8498-status')).toBe('403') diff --git a/playground/fs-serve/root/src/index.html b/playground/fs-serve/root/src/index.html index 565961d34cd889..b8ed6b18489692 100644 --- a/playground/fs-serve/root/src/index.html +++ b/playground/fs-serve/root/src/index.html @@ -35,6 +35,8 @@

Safe /@fs/ Fetch

Unsafe /@fs/ Fetch


 

+

+

 

 

 

@@ -166,6 +168,24 @@ 
Denied

       console.error(e)
     })
 
+  // not imported before, outside of root, treated as unsafe
+  fetch(
+    joinUrlSegments(
+      base,
+      joinUrlSegments('/@fs/', ROOT) + '/unsafe.json?import&raw',
+    ),
+  )
+    .then((r) => {
+      text('.unsafe-fs-fetch-raw-status', r.status)
+      return r.json()
+    })
+    .then((data) => {
+      text('.unsafe-fs-fetch-raw', JSON.stringify(data))
+    })
+    .catch((e) => {
+      console.error(e)
+    })
+
   // outside root with special characters #8498
   fetch('/@fs/' + ROOT + '/root/src/%2e%2e%2f%2e%2e%2funsafe%2ejson')
     .then((r) => {